-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathreadme.txt
176 lines (156 loc) · 7.52 KB
/
readme.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
################################################### PROJECT DESCRIPTION SECTION ############################################################
Project contains following components and layers
1) DAL - data access layer containing:
1.1) Context interface and it Mock implementation, Context is a Collection of IRepository<>
1.2) Repository interface and it basic implementation
1.3) Entities - persistent classes (Role, User)
2) Authorization:
2.1) Internal basic authorization
2.2) OAuth2 with internal authorization server
2.3) OAuth2 with KeyCloak (\src\main\resources\application.yml) and
OpenAm (src\main\resources\configsBackups\OpenAm_Application) authorization server
############################################################################################################################################
########################################################## OAUTH2 TERMS ####################################################################
Resource Owner — an entity that is able to grant access to its protected resources
Authorization Server — grants access tokens to Clients after successfully authenticating Resource Owners and obtaining their authorization
Resource Server — a component that requires an access token to allow, or at least consider, access to its resources
Client — an entity that is capable of obtaining access tokens from authorization servers
Spring:
@EnableResourceServer configures component as entity that can obtain access_token (in my final case it External Identity Server = KeyCloak or OpenAm)
@EnableOAuth2Sso makes application an OAuth2 client
############################################################################################################################################
#################################################### INTERNAL OAUTH2 SECTION ###############################################################
Application deploying on localhost:8080, context path is /
Therefore if we try to get resource /api/users we send HTTP GET on localhost:8080/api/users, but without Oauth2 token we getting
401 Response with following JSON:
{
"error": "unauthorized",
"error_description": "An Authentication object was not found in the SecurityContext"
}
So if we would like to pass authentication we shold
1) Issue new token using basic authorization:
Send POST localhost:8080/oauth/token
with Basic Authorization (see globalUserDetails, actually it is local stored in AuthorizationService code credentials - mjolnir : 12345678)
header with content-type - x-www-form-url-encoded (application/x-www-form-urlencoded)
body content is key-value pairs:
username : root
password : 123
grant_type : password
Response is: 200 OK with body
{
"access_token": "1c9c15d6-302c-4729-826c-257594330396",
"token_type": "bearer",
"refresh_token": "fc854cbf-5f57-4011-8697-47eeb8757151",
"expires_in": 4989,
"scope": "read write trust"
}
2) Accessing protected resource using access_token (1c9c15d6-302c-4729-826c-257594330396)
with Authorization type Bearer with value = access_token
to localhost:8080/api/users and i am getting test output:
[
{
"id": 1,
"userName": "admin",
"passwordHash": "$2a$10$aG04e37GbFM27mPjiEILEuJPd7CzGuKkcHpW7IaVBlfaOOwxf5MDm",
"firstName": "ADMIN",
"lastName": "ADMIN",
"roles": [
{
"id": 1,
"roleName": "ADMIN"
},
{
"id": 2,
"roleName": "USER"
}
],
"rolesRepresentation": [
"ADMIN",
"USER"
]
},
{
"id": 1,
"userName": "root",
"passwordHash": "$2a$10$XXAecCz1UHUySSeepljbdeUopL7VszH4dip8yWKySM3JcOIoBytw.",
"firstName": "SUPERUSER",
"lastName": "SUPERUSER",
"roles": [
{
"id": 1,
"roleName": "ADMIN"
},
{
"id": 2,
"roleName": "USER"
}
],
"rolesRepresentation": [
"ADMIN",
"USER"
]
},
{
"id": 1,
"userName": "evillord",
"passwordHash": "$2a$10$Ybwt13dpX9qeWQuQofI7K.nPkUWS/3/0ib6CmCuyThyvPHojcA88q",
"firstName": "Michael",
"lastName": "Ushakov",
"roles": [
{
"id": 2,
"roleName": "USER"
}
],
"rolesRepresentation": [
"USER"
]
}
]
###########################################################################################################################################
######################################################## OPEN AM SECTION ##################################################################
OpenAM provides the following three OAuth 2.0 endpoints with the last one, tokeninfo, used for validating tokens:
My OpenAM was deployed on localhost:8899 at context path /OpenAM-14.4.2
Therefore OpenAm base address is: http://localhost:8899/OpenAM-14.4.2
Authorize endpoint: HTTP POST http://localhost:8899/OpenAM-14.4.2/oauth2/authorize?realm=/abcdemo (using for SSO)
First step is to get access token (Realm is abcdemo)
HTTP POST http://localhost:8899/OpenAM-14.4.2/oauth2/access_token?realm=/abcdemo
You'll receive following json:
{
"access_token": "e8ec0e37-42d4-4df5-b2e5-bfbaefcf6374",
"refresh_token": "c1ebed79-731e-4ab8-9f03-a8f3ab222e29",
"scope": "local",
"token_type": "Bearer",
"expires_in": 3599
}
For other operation you should use received OAuth2 token as Bearer %token%
HTTP GET http://localhost:8899/OpenAM-14.4.2/oauth2/userinfo?realm=/abcdemo
You'll receive following JSON on userInfo request:
{
"sub": "mjolnir"
}
###########################################################################################################################################
####################################################### KEY CLOAK #########################################################################
My KeyCloak server is running on http://127.0.0.1:8890/, realm is master
it is possible to see endpoints here
Token generation Endpoint is: http://127.0.0.1:8890/auth/realms/master/protocol/openid-connect/token
we like for openAm sending data through body as x-www-form-urlencoded and we sending
(client_id, client_secret, grant_type, username, password and scope)
UserInfo endpoint is - http://127.0.0.1:8890/auth/realms/master/protocol/openid-connect/userinfo
UserInfo data is:
{
"sub": "d2f8b2b7-baab-42df-9567-cc2871dc1ff8",
"email_verified": false,
"user_name": "m_ushakov",
"name": "Mikhail Ushakov",
"preferred_username": "m_ushakov",
"given_name": "Mikhail",
"family_name": "Ushakov"
}
###########################################################################################################################################
############################################################## RESOURCES ##################################################################
OAuth protocol description: https://tools.ietf.org/html/rfc6749#section-3
OAuth + spring (use vpn here): https://www.baeldung.com/spring-security-oauth
Spring Configuration: https://docs.spring.io/spring-boot/docs/current/reference/html/boot-features-external-config.html
Way of what to switch (use vpn here): https://www.baeldung.com/spring-security-oauth2-enable-resource-server-vs-enable-oauth2-sso
###########################################################################################################################################